Security and confidentiality requirements
In carrying out Yale's academic, research and clinical missions, faculty, staff and students collect many different types of information, including financial, academic, health, human resources information, and personally identifiable information. Federal and state laws impose many obligations on Yale to protect the confidentiality of information about students, employees, and patients.
In addition to regulatory requirements, there are also requirements stipulated by other organizations when the University requests use of those organizations' data sets. In turn, every member of the University has the obligation to implement appropriate safeguards to meet these requirements.
Appropriate protections (security controls) for the confidentiality, integrity and availability of data must be implemented to comply with regulations, contracts and other agreements. Implementation of the required administrative, technical and physical security controls varies, but it may involve substantial resources, including financial, IT and human resources. Many researchers and departments may not have the required resources and/or IT support to implement security controls, so it is critical that there is a clear understanding of IT and information security roles and responsibilities well in advance of entering into an agreement, grant or contract.
Federal and Connecticut state laws protect the privacy and security of Social Security numbers and financial account numbers, and this type of information is subject to strict three-lock protection in use, transmission, and storage.
Report any incidents immediately
If you suspect that a data breach of personal financial information has occurred, please contact Yale's Information Security Office immediately to report the incident.
- How to report a data security incident
- Report lost or stolen electronic media or a computing device (computer, smartphone, flash drive, hard disk, etc.)
- Information Security Office staff contact information
The federal Health Insurance Portability and Accountability Act (HIPAA) requires Yale to maintain the confidentiality of electronic health information that can be linked to an individual patient (electronic Protected Health Information, or ePHI), and Yale has adopted policies to ensure that we comply with this obligation.
All ePHI is subject to strict three-lock protection in use, storage, and transmission, and all Yale employees who have access to ePHI must pass HIPAA training.
Effective September 23, 2009, the HITECH Act 'Breach Notification for Unsecured PHI; Interim Final Rule' requires that if PHI is breached, we notify individuals, and, for breaches affecting more than 500 patients, the media and the government. Please see the information related to breach notification.
The Yale University HIPAA site is the best source of detailed information on Yale's HIPAA compliance policies and procedures, as well as information on HIPAA training and other HIPAA compliance topics.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the confidentiality of many student records. Because FERPA covers such a large variety of information and contains so many exceptions, student records may be 3-Lock, 2-Lock, or even 1-Lock data, depending on the nature of the records. For example, student disciplinary files would be subject to 3-Lock restrictions, but students' local addresses are usually 1-Lock information, even though both types of records are subject to FERPA.
If you have a specific question on how to use, store, or transmit student records, contact the Office of the General Counsel or the Information Security Office. For more information on FERPA, see Yale's FERPA statement.
All Yale University faculty and staff members involved in research sponsored by the U.S. Department of Veterans Affairs (VA) must comply with all requirements for protecting VA research subjects' privacy, and VA research data security and confidentiality.
Access to a VA server
In order to connect to a WHVA server (file server) from the Yale (or any non-va.gov) network, you must have a VA network ID and VA VPN access*. Investigators who do not currently have a VA network ID and/or who want to obtain VA VPN access should contact Sid Hammons in the VA Research Office: firstname.lastname@example.org or 203.937.3830.
Contact information for VACT Information Security Office
Michael Raffanello (Michael.Raffanello@va.gov) - 203.937.3444 or 781.687.4844
Yale University HIPAA compliance policies & information
If you perform research that generates ePHI you should consult the Yale University HIPAA site for further information on HIPAA privacy and security regulations.
dbGaP (database of Genotypes and Phenotypes), whose data comes from the National Center for Biotechnology Information (NCBI), requires a data security plan that is signed by the Chief Information Officer and Director of ITS and then submitted to the Office of Grant and Contract Administration. Before preparing the plan, ask yourself:
- Have you reviewed Security Best Practices – Level 2b requirements?
- Have you reviewed the consensus best practice standards for security configuration distributed by the Center for Internet Security (CIS) that are appropriate for your implementation?
- After completing these reviews have you discussed your plan with Information Assurance & Compliance and other ITS staff, so that you understand what support will be required and any resources or costs associated with that support?
Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug Administration (FDA) guidelines for electronic records and electronic signatures. Part 11 defines the criteria under which electronic records and electronic signatures are considered to be trustworthy, reliable and equivalent to paper records. Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data.
- If your protocol is a partnership with a pharmaceutical/biotech company, that organization may take ownership, management and security of the computing devices used at Yale. Compliance may only be required if Yale computing devices or storage media are used.
- There may be requirements for certification that the EHR (Electronic Health Record) application you are using is compliant. Currently, the YNHH EPIC EHR is not compliant and there are no plans to bring it into compliance.
- The Connecticut personnel file statute, which protects employee records.
- The Connecticut statute on the security of confidential electronic information, which protects Social Security numbers and financial account numbers.
- DoD rule (48 CFR 204 and 252) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to add a contract clause requiring a contractor to notify DoD if the contractor is required to report its activities under the U.S.-International Atomic Energy Agency Additional Protocol.
- Foreign data privacy and security laws:
- National Longitudinal Study of Adolescent Health (Add Health): the University of North Carolina requires a security plan for restricted-use data.
- U.S. Bureau of Labor Statistics National Longitudinal Surveys of Children and Young Adults (NLSY geocode data): requires application documentation, including data security content.